FREAKShow: Why governments meddling with encryption standards hurts us all
FREAK, the latest security vulnerability to be exposed that has implications for millions of supposedly secure websites, is just the most recent example of something privacy and security advocates have been saying for some time: when governments meddle with our security technologies, it hurts us all.
When the State advocates for backdoors into our communications, they cannot secure them properly and malicious actors can get in. When our elected officials pontificate about spying on us to keep society safe, they are showing complete disregard for our personal and digital security and are in fact leaving us all exposed.
For a long time, disastrous encryption policies prevented stronger encryption from being exported out of the United States. Weaker forms of security, 512-bit encryption as opposed to the currently used 1024-bit, were thought to be a thing of the past, yet millions of secure websites, and products made by Apple and Google, have now been found to be still using this lower level of security, because the weak encryption remained baked into the technology.
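The weak suites at the heart of FREAK are the TLS "export" cipher suites (40-bit symmetric keys, 512-bit RSA or DH parameters). As an added example, not code from the original article, here is a small checker that parses a TLS ServerHello record and reports whether the negotiated suite is one of those export suites; the ServerHello builder only constructs sample input for the checker, and the record layout assumed is the RFC 2246/5246 handshake format.

```python
import struct
from typing import Optional

# Cipher suite ids of the RSA/DH "export" suites listed in RFC 2246 Appendix A.5.
# A FREAK downgrade ends with the server selecting one of these.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_server_hello(suite: int, version: bytes = b"\x03\x03") -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (sample input only).

    Layout: record header (type, version, length) + handshake header
    (type 2, 3-byte length) + body: version, 32-byte random, empty
    session id, chosen cipher suite, null compression.
    """
    body = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite id the server selected in a ServerHello record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    handshake = record[5:5 + rlen]
    if ctype != 0x16 or not handshake or handshake[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    sid_len = body[34]          # session id length follows version(2) + random(32)
    offset = 35 + sid_len
    return struct.unpack("!H", body[offset:offset + 2])[0]


def export_downgrade(record: bytes) -> Optional[str]:
    """Name of the export suite if the handshake negotiated one, else None."""
    return EXPORT_SUITES.get(negotiated_suite(record))
```

A client that refuses every suite in EXPORT_SUITES, and a server that never offers them, cannot be downgraded this way regardless of what a man in the middle rewrites.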
While FREAK is the result of the fight over the global use of encryption that began in the early days of the Cold War, it holds a strong lesson for today.
Hangover from the 1990s
Following the world wars, governments of the world recognised the incredible power of intelligence agencies. They also recognised that communications security would hamper these intelligence agencies. As a result, they colluded to ensure that the only people who could secure their communications with encryption technology would be governments themselves, through the imposition of export controls designed to restrict foreign availability of strong encryption. The ensuing policy debates and acts of civil disobedience by advocates of encryption, including Privacy International, during what is now referred to as "The Crypto Wars" were ostensibly resolved as the needs of the digital economy and pressure from industry led to liberalisation of export regulations.
Under pressure from U.S. industry in the 1980s and early 1990s, the U.S. began to liberalise the use of encryption by saying that Americans could use strong encryption, but the rest of the world would have to suffer with weaker encryption or none at all.
By the late 1990s, this started to fall apart, despite much resistance from the U.S., UK, French and Chinese governments, as we all began to use the internet and we all began to demand strong security technologies to protect our information. Industry had a hard time selling one product for Americans and another weaker security product for non-Americans.
Now, we all use strong encryption in almost every digital transaction we undertake, from card payments to mobile phone calls, and even when we do internet searches and use social networking.
This week's news about FREAK is a key example of the hangover of the 1990s, and of what happens when we let intelligence agencies dictate our personal technologies. The FREAK attack effectively ensures that we are all treated like non-Americans, circa the 1990s, where we are treated to weaker encryption standards because governments wouldn't allow for anything more secure. Your security gets reduced by standards that you don't understand, decided by unaccountable agencies decades ago.
The lesson from FREAK
It's not just a relic of that older era, sadly. The discrimination within U.S. law still continues, where U.S. users of the internet are protected differently than non-Americans. Other states are continuing to weaken or undermine our personal security by advocating for “no private spaces” on the internet. It was only a few months ago that Prime Minister David Cameron called for a ban on end-to-end encryption and peers in the House of Lords attempted to resurrect the previously defeated Snooper’s Charter. GCHQ boss Robert Hannigan called the internet, one of the world’s most important platforms for freedom of expression and communication, a “command and control network of choice” for terrorists. Law enforcement officials in the United States continue to drum on about “going dark” and not being able to access our devices at any time they choose. We know that NSA and GCHQ are stealthily trying to influence or weaken encryption standards and bodies, and to hack the encryption developed by companies we all use. Now China wants access too.
If you want to know what the future would look like if the programmes and policies governments are pushing now came to pass, just take a look at FREAK and the mess left behind by bad decision-making.
Everyone from Apple to Google to even the NSA is scrambling to patch the vulnerability. Millions of websites are affected. An untold number of people have been compromised, meaning their bank details, health records, and personal information could have been snatched by anyone with the resources to exploit the FREAK bug. Modern security is about ensuring that practically no one institution could exploit our systems. FREAK shows how easily we can be hobbled.
And all this is because the State had the arrogance to think that weak encryption standards would only affect people “over there” or “just the bad guys.” We all use the same internet and undermining its security hurts everyone, from the office techie to our politicians to your mother who is paying the bills through online banking.
At the moment, we are all paying the price for short-sighted decisions that were made over 50 years ago. That is why it is so important not to lose sight of what is at stake.
Choices we make about the security today will have a lasting impact on how we use technology in the future. Rhetoric about preventing criminals and terrorists from having “safe spaces” must be resisted, because these are the same arguments that got us into the mess that is FREAK.